Google’s Safe Browsing initiative has been protecting users from web pages that install malware for over five years now. Each day we show around 3 million malware warnings to over four hundred million users whose browsers implement the Safe Browsing API. Like other service providers, we are engaged in an arms race with malware distributors. Over time, we have adapted our original system to incorporate new detection algorithms that allow us to keep pace. We recently completed an analysis of four years of data that explores the evasive techniques that malware distributors employ. We compiled the results in a technical report, entitled “Trends in Circumventing Web-Malware Detection.”

Below are a few of the research highlights, but we recommend reviewing the full report for details on our methodology and measurements. The analysis covers approximately 160 million web pages hosted on approximately 8 million sites.

Social Engineering
Social engineering is a malware distribution mechanism that relies on tricking a user into installing malware. Typically, the malware is disguised as an anti-virus product or browser plugin. Social engineering has increased in frequency significantly and is still rising. However, it’s important to keep this growth in perspective — sites that rely on social engineering comprise only 2% of all sites that distribute malware.

Number of sites distributing Social Engineering Malware and Exploits over time

Drive-by Download Exploit Trends
Far more common than social engineering, malicious pages install malware after exploiting a vulnerability in the browser or a plugin. This type of infection is often called a drive-by download. Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection. The graph below shows the ratio of exploits targeting a vulnerability in one CVE to all exploits over time. Most vulnerabilities are exploited only for a short period of time until new vulnerabilities become available. A prominent exception is the MDAC vulnerability which is present in most exploit kits.

Prevalence of exploits targeting specific CVEs over time

Increase in IP Cloaking
Malware distributors are increasingly relying upon ‘cloaking’ as a technique to evade detection. The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal web page visitors. Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic.

Number of sites practicing IP Cloaking over time

New Detection Capabilities
Our report analyzed four years of data to uncover trends in malware distribution on the web, and it demonstrates the ongoing tension between malware distributors and malware detectors. To help protect Internet users, even those who don’t use Google, we have updated the Safe Browsing infrastructure over the years to incorporate many state-of-the-art malware detection technologies. We hope the findings outlined in this report will help other researchers in this area and raise awareness of some of the current challenges.